About the SurfaceCheckr scanner

What we are

SurfaceCheckr is a passive external security-reporting tool. We read what your site already serves publicly - HTML, response headers, linked JavaScript, the TLS certificate (handshake only), public DNS records, and a fixed list of well-known sensitive paths. We never authenticate. We never send attack payloads. We never POST. We never extract user data.

How to identify our traffic

Our scanner uses a stable User-Agent of the form:

Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0; +https://surfacecheckr.com/scanner-info)

All scans originate from a small set of static IPs which we publish at /scanner-ips. Reverse DNS resolves these to scanner-NN.surfacecheckr.com.
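A site operator who sees this User-Agent in their logs should not trust the string alone, since anyone can send it; the check that actually distinguishes the scanner from an impersonator is the published IP list plus forward-confirmed reverse DNS. The following Python is an added example (not SurfaceCheckr's own code) of that verification: it parses a constructed access-log line, matches the documented User-Agent, then requires the source IP to be in the published list, to reverse-resolve to a `scanner-NN.surfacecheckr.com` name, and for that name to resolve forward to the same IP. The IP addresses and resolver tables are constructed placeholders standing in for the real contents of /scanner-ips and live DNS.

```python
import re
import socket

# Matches the documented User-Agent; the version is not pinned so a bump does not break the check.
UA_PATTERN = re.compile(r"SurfaceCheckrScanner/\d+(?:\.\d+)*")

# Reverse-DNS name the page says the scanner IPs resolve to (scanner-NN.surfacecheckr.com).
PTR_PATTERN = re.compile(r"^scanner-\d+\.surfacecheckr\.com\.?$", re.IGNORECASE)

# Constructed placeholder for the list fetched from /scanner-ips (documentation-range addresses).
PUBLISHED_SCANNER_IPS = {"203.0.113.10", "203.0.113.11"}

# Combined-log-format line: client IP first, User-Agent in the last quoted field.
LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def ptr_lookup(ip: str) -> str:
    """Real reverse lookup (PTR). Raises OSError/socket.herror when there is no PTR record."""
    return socket.gethostbyaddr(ip)[0]


def a_lookup(host: str) -> list[str]:
    """Real forward lookup (A records) for a hostname."""
    return socket.gethostbyname_ex(host)[2]


def parse_log_line(line: str) -> tuple[str, str]:
    """Return (client_ip, user_agent) from one combined-format access-log line."""
    m = LOG_PATTERN.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("ip"), m.group("ua")


def claims_to_be_scanner(user_agent: str) -> bool:
    return bool(UA_PATTERN.search(user_agent))


def is_verified_scanner(ip, published_ips=PUBLISHED_SCANNER_IPS, ptr=ptr_lookup, forward=a_lookup) -> bool:
    """Forward-confirmed reverse DNS gated on the published IP list.

    All three conditions must hold: the IP is published, its PTR matches the
    documented scanner hostname pattern, and that hostname resolves back to the IP.
    """
    if ip not in published_ips:
        return False
    try:
        host = ptr(ip)
    except OSError:
        return False
    if not PTR_PATTERN.match(host):
        return False
    try:
        addresses = forward(host)
    except OSError:
        return False
    return ip in addresses


def classify_request(ip, user_agent, published_ips=PUBLISHED_SCANNER_IPS, ptr=ptr_lookup, forward=a_lookup) -> str:
    """'not-scanner' if the UA makes no claim, 'verified-scanner' if the claim checks out, else 'impersonation'."""
    if not claims_to_be_scanner(user_agent):
        return "not-scanner"
    if is_verified_scanner(ip, published_ips, ptr, forward):
        return "verified-scanner"
    return "impersonation"


# --- Constructed offline stand-ins for DNS so the example runs without network access ---
CONSTRUCTED_PTR = {
    "203.0.113.10": "scanner-01.surfacecheckr.com",  # genuine: published IP, matching PTR
    "203.0.113.11": "unrelated-host.example.net",     # published IP but PTR does not match (misconfig or stale list)
}
CONSTRUCTED_A = {"scanner-01.surfacecheckr.com": ["203.0.113.10"]}


def fake_ptr(ip: str) -> str:
    if ip not in CONSTRUCTED_PTR:
        raise OSError("no PTR record")  # socket.herror is an OSError subclass, so callers see the same type
    return CONSTRUCTED_PTR[ip]


def fake_a(host: str) -> list[str]:
    if host not in CONSTRUCTED_A:
        raise OSError("no A record")
    return CONSTRUCTED_A[host]


SCANNER_UA = "Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0; +https://surfacecheckr.com/scanner-info)"

# Constructed sample log lines: one genuine scan, one impersonator reusing the UA, one ordinary client.
SAMPLE_LOG = [
    f'203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    f'198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "{SCANNER_UA}"',
    '192.0.2.44 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
]


def classify_log(lines=SAMPLE_LOG, ptr=fake_ptr, forward=fake_a) -> list[tuple[str, str]]:
    """Classify every line; returns [(ip, verdict), ...]."""
    return [(ip, classify_request(ip, ua, ptr=ptr, forward=forward)) for ip, ua in map(parse_log_line, lines)]


if __name__ == "__main__":
    for ip, verdict in classify_log():
        print(f"{ip:16} {verdict}")
```

Production use would swap `fake_ptr`/`fake_a` for the real `ptr_lookup`/`a_lookup` and load `PUBLISHED_SCANNER_IPS` from /scanner-ips; the forward-confirmation step matters because a PTR record is controlled by whoever owns the IP's reverse zone and can be set to any name.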

Opting out

If you don't want SurfaceCheckr to scan your domain, you have two options:

  1. Email [email protected] from any address at the domain. We honour opt-outs within 24 hours.
  2. Publish a file at /.well-known/surfacecheckr-optout whose body contains the line surfacecheckr-optout. We respect this immediately. (We check the contents, not just that the file exists, so a catch-all server that returns 200 for every path won't accidentally opt you out.)

We never publish a grade for a domain whose operator hasn't asked. Results are visible only to the requester via the unguessable UUID URL.

Politeness

Our crawler honours robots.txt Disallow paths for crawl behaviour (we report that they exist, but we don't crawl into them). We cap each scan at 50 pages, 60 seconds, and 2 requests per second per host.

What we don't do

  • We don't replace a pentest. We tell you what an attacker can see from outside, not what they can break.
  • We don't test authenticated routes, business logic, XSS, SQL injection, IDOR, or anything POST-based.
  • We don't use AI to decide what to scan. The AI in our report layer only interprets evidence the deterministic scanner has already collected - it never manufactures findings.